So, you’ve heard about all of the recent breaches and don’t want to be the one who causes the next. Hopefully what you learn here today will help you achieve that goal. Applying best security practices isn’t difficult; it just takes a little thought and effort.
Passwords aren’t tricky, but one thing needs saying up front: length does more for you than clever character swaps. Password-cracking tools apply substitution rules automatically, so “0c3anR@!nb0w” is tried almost as soon as “oceanrainbow” is. It is still orders of magnitude better than “Rainbow123” (longer, four character classes, and two words instead of one), just not as exotic as it looks. When you create a password, think “passphrase” instead: pick words you’d never find together. “BeachBone” is an example. Have you ever heard of a beach bone? Probably not, but because it’s so odd it will stick out and be easy to remember. Then make it longer rather than stranger. Three or four unrelated words, with a digit or symbol wherever the policy demands one, beat a short pair of words mangled into “B3@ch80n3!@”, and they are far easier to type correctly.
Your company will likely have a policy in place that mandates password changes every 90 days; if so, follow it. I’ve been in environments that don’t. If that’s your case, be aware that current guidance (NIST SP 800-63B) no longer recommends scheduled expiry, because forced rotation pushes people toward predictable variations such as “Password1”, “Password2”, exactly the weak patterns listed below. What actually matters is changing a password immediately when you suspect it has been exposed, and never reusing the same password across accounts, so that one leaked site login doesn’t unlock your corporate account too. Remember, the longer and less predictable, the more secure.
Never, ever write your passwords down on paper, and don’t store them in a spreadsheet, a text file, or any other unencrypted format. Some of the best security is what you know. Keep your passwords as something only you know, or only you and a proper password vault know. With that, don’t use the “save password” feature of browsers. Dumping the browser’s saved credentials is one of the first things malware does once a system has been compromised, and the results can be a goldmine.
Examples of weak passwords include:
- Passwords containing 8 characters or fewer
- Passwords created from birthdates, names, addresses, phone numbers, etc.
- Passwords containing repeating patterns, such as “Star8899” or “xxyyzz”
- Incremental iterations such as “Password1”, “Password2”, and so on
- Any version of “Welcome123”, “Password123”, etc
Examples of stronger passwords:
- 0c3anR@!nb0w – a decent passphrase, though note that it is still two dictionary words with substitutions a cracking rule set will undo
- @pp13w@$h3r ! – Yes, that is a space after “r”. Most systems accept spaces, and every extra character helps.
- g5F&63#(q!T%5! – This is complex. There’s no pattern to this; I just pressed keys. Of the three passwords, this one is the most secure, because it is not built from dictionary words at all. It is also the hardest to remember, which is what the password vault below is for.
The more complex a password is, the more difficult it is to remember. To help with that, there are numerous password vault applications available. I personally use KeePass. 1Password is also a viable solution. Protect the vault itself with a long master passphrase, since it holds everything else, and it is the one password you do have to remember.
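The weak-password rules above, and the point that leet substitutions add less than they appear to, can be turned into a small checker. The following is an added example written for this page, not a tool the author uses or recommends; the wordlist and substitution table are tiny constructed stand-ins for the multi-million-entry lists and rule files that real cracking tools ship with. It also reports the brute-force search space in bits, which is only an upper bound (a password that de-leets to dictionary words falls long before that space is exhausted), and the 7776-entry figure in `passphrase_bits` is the standard Diceware list size.

```python
import math
import re

# Substitutions that cracking rule sets undo automatically, so they add far
# less strength than they appear to. Illustrative table, not exhaustive.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "8": "b", "@": "a", "$": "s", "!": "i"})

# Constructed toy wordlist standing in for the huge lists real tools use.
WORDLIST = {"ocean", "rainbow", "beach", "bone", "apple", "washer", "star",
            "password", "welcome", "admin", "letmein", "qwerty"}


def normalize(pw: str) -> str:
    """Undo leet substitutions and case, the way a cracking rule would."""
    return pw.translate(LEET).lower()


def dictionary_split(letters: str, words: set[str], slack: int = 2):
    """Try to cover `letters` with wordlist entries, tolerating up to `slack`
    unexplained trailing characters (rules routinely append one or two).
    Returns the list of words found, or None if no such split exists."""
    n = len(letters)

    def go(i: int):
        if n - i <= slack:
            return []
        for w in words:
            if letters.startswith(w, i):
                rest = go(i + len(w))
                if rest is not None:
                    return [w] + rest
        return None

    found = go(0)
    return found or None  # require at least one real word


def weak_reasons(pw: str) -> list[str]:
    """Apply the weak-password rules from the list above plus a de-leet check."""
    reasons = []
    if len(pw) <= 8:
        reasons.append("8 characters or fewer")
    if re.fullmatch(r"[A-Za-z]+\d+", pw):
        reasons.append("a word followed by digits (Rainbow123, Password1 style)")
    if re.search(r"(.)\1.*(.)\2", pw):
        reasons.append("repeated characters (Star8899, xxyyzz style)")
    letters = re.sub(r"[^a-z]", "", normalize(pw))
    split = dictionary_split(letters, WORDLIST)
    if split:
        reasons.append("de-leets to dictionary words: " + "+".join(split))
    return reasons


def bruteforce_bits(pw: str) -> float:
    """Search space in bits if the attacker had to brute-force every character.
    This is an upper bound; dictionary-derived passwords fall much sooner."""
    if not pw:
        return 0.0
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"\d", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII symbols, space included
    return round(len(pw) * math.log2(size), 1)


def passphrase_bits(n_words: int, list_size: int = 7776) -> float:
    """Strength of n random words even if the attacker knows the wordlist."""
    return round(n_words * math.log2(list_size), 1)


def assess(pw: str) -> dict:
    return {"password": pw, "bits": bruteforce_bits(pw), "weak": weak_reasons(pw)}


if __name__ == "__main__":
    for pw in ["Rainbow123", "Star8899", "0c3anR@!nb0w", "B3@ch80n3!@",
               "@pp13w@$h3r !", "g5F&63#(q!T%5!", "beach bone walrus lantern"]:
        print(assess(pw))
    print("4 random Diceware words:", passphrase_bits(4), "bits")
```

Run it and note two things: the random “g5F&63#(q!T%5!” is the only one of the page’s examples with no findings, and four random words from a public list still come out at about 52 bits even though the attacker is assumed to know exactly how they were chosen. That is the argument for length over leet.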
As with the password policy, your organization likely has a software installation policy as well. In a perfect world, an end user wouldn’t be able to install anything on their system. But we don’t live in a perfect world, do we? Don’t install things you downloaded off the internet. If you need a piece of software, talk to your IT department. Be prepared to justify your need and provide a use case. The IT team will review the software and approve or deny it based on their findings. The IT team isn’t there to make your life harder, just more secure. Chances are, if the software poses no risk, it will be approved. This is not a situation where it’s “better to shoot first and ask for forgiveness later”. Your apology could end up falling on deaf ears as you’re being escorted out of the building.
Here’s an easy one: lock your workstation. On Windows you can do this quickly by pressing Windows key + L (on a Mac, Control + Command + Q). If you’re walking away from your system, lock it. It only takes a few seconds to enter your password, and that time is worth the integrity of your system and the work you perform on it.
Another good practice to follow is the “Clean desk” policy. Keep all of your important or sensitive documents locked in a drawer when you’re away from your desk. Practice “Need to know”.
Avoid the use of unauthorized USB devices. Don’t plug in any random USB drives you come across, even “just to see whose it is”. Take them to your IT department so that they can examine the stick safely and determine what’s on it.
Don’t share your mobile workstation unless specifically instructed to do so. We all like to think no one has malicious intent, but you never know. You could loan your laptop to someone who ends up plugging in a malicious USB drive, or picking up a malicious file from the internet. Remember: confidentiality and integrity can’t be maintained if you allow others to access your system.
Your IT department will have a backup system in place. Most companies store your home drive on a network server, and that data is usually included in backup cycles. If your company implements this, be sure to save your important documents to the networked home drive. In the event that your PC crashes, your data will be safe. However, don’t abuse this privilege. Storage space is limited and shared. Don’t be that guy/gal who had 75 GB worth of media from their iPhone stored on the corporate home drive. You won’t like the attention that draws toward you. The corporate network storage is not your personal Dropbox.
Email. Email is a perfect example of a win-lose situation: critical to corporate operations, but also one of a corporation’s most vulnerable points. Phishing is more prevalent than ever, because convincing you to open a malicious Word document (DO NOT ENABLE MACROS!) is the easiest way into a corporate network today, and people fall for phishing emails every minute of every day. Many of the emails you’ll see are obvious scams. Most just take a bit of thinking. If you’re a call center employee, do you really think the CEO would be asking you to process a check when he has a fully qualified Finance department? I use this example because sadly, I once had a Tier 1 call center rep fall for the “CEO Check” scam. In most cases the CEO isn’t emailing anyone who doesn’t report to him directly. General employees won’t see email from the CEO unless they’re working directly with him or it’s a company-wide communication. The same can be said for all C-level executives. The best way to stay safe and keep the IT boffins happy is to never click links or open attachments from unknown senders. Check the actual sender address, not just the display name: the name can say anything, and attackers register look-alike domains that differ from the real one by a single character. Hover over a link to see where it really goes before you click it. If it looks suspicious, it probably is. Don’t be afraid to forward the email to your IT Security department for a second opinion. We would much rather you be paranoid than compromised.
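The checks just described (sender domain versus display name, look-alike domains, a Reply-To that points somewhere else, pressure wording, macro-capable attachments) are mechanical enough to script. Below is an added example written for this page, not something from the author or their organization, that runs those checks over two constructed messages: a “CEO check” lure of the kind described above and an ordinary internal note. The domain `example-corp.com`, the look-alike `examp1e-corp.com`, the names and the keyword list are all assumptions for the example; a real deployment would use the organization’s own domains and a tuned keyword list.

```python
import re
from email import policy
from email.parser import BytesParser

# Domains this organization really sends from (assumed for the example).
CORPORATE_DOMAINS = {"example-corp.com"}
EXEC_TITLE = re.compile(r"\b(ceo|cfo|coo|cto|president)\b", re.I)
# Pressure and secrecy wording typical of business-email-compromise lures.
LURE_WORDS = re.compile(
    r"\b(urgent|today|immediately|asap|between us|confidential|wire|gift card|check)\b",
    re.I)
MACRO_EXT = (".docm", ".xlsm", ".pptm", ".doc", ".xls")

# Constructed sample: the "CEO check" lure described above. Not a real message.
RAW_LURE = b"""From: "Pat Doe, CEO" <pat.doe@examp1e-corp.com>
Reply-To: ceo.office@webmail.example
To: rep@example-corp.com
Subject: Urgent - process this check today
Content-Type: text/plain

Hi, I need you to process the attached check before noon. Keep this between us.
"""

# Constructed sample: an ordinary internal message that should raise no flags.
RAW_INTERNAL = b"""From: "Pat Doe" <pat.doe@example-corp.com>
To: rep@example-corp.com
Subject: Q3 all-hands slides
Content-Type: text/plain

Slides from yesterday are on the shared drive.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr_spec: str) -> str:
    return addr_spec.rsplit("@", 1)[-1].lower()


def phishing_flags(raw: bytes) -> list[str]:
    """Return human-readable reasons a message deserves a second look."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []

    sender = msg["From"].addresses[0]
    from_dom = domain_of(sender.addr_spec)
    if from_dom not in CORPORATE_DOMAINS:
        flags.append(f"external sender domain: {from_dom}")
        for known in CORPORATE_DOMAINS:
            if 0 < edit_distance(from_dom, known) <= 2:
                flags.append(f"{from_dom} looks like {known}")
        if EXEC_TITLE.search(sender.display_name):
            flags.append("display name claims an executive title but comes from outside")

    # A Reply-To pointing elsewhere routes your answer to the attacker.
    reply_to = msg["Reply-To"]
    if reply_to is not None:
        rt_dom = domain_of(reply_to.addresses[0].addr_spec)
        if rt_dom != from_dom:
            flags.append(f"Reply-To domain {rt_dom} differs from From domain {from_dom}")

    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"]) + "\n" + (body.get_content() if body else "")
    hits = sorted({m.lower() for m in LURE_WORDS.findall(text)})
    if hits:
        flags.append("pressure or secrecy wording: " + ", ".join(hits))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXT):
            flags.append(f"Office attachment that may carry macros: {name}")
    return flags


if __name__ == "__main__":
    for label, raw in [("lure", RAW_LURE), ("internal", RAW_INTERNAL)]:
        print(label, phishing_flags(raw))
```

None of these flags proves a message is malicious on its own; the point is that the lure trips several at once while the internal note trips none, which is the same judgement the paragraph asks you to make by eye.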
While some organizations allow employees to receive personal email at their business address, I strongly recommend against this. Not only does this put your corporate email address out in the wild, it wastes valuable storage space on email servers. “But the email is only 75 KB” you say. Sure. Let’s say you work with 500 other people who all receive one 75 KB message an hour over an eight-hour workday. That’s 300 MB a day lost, or 9 GB a month. 108 GB a year. Seems small, but every bit of free space counts. As businesses continue to amass more data, they in turn amass more costs to store that data.
None of that covers the obvious when it comes to personal email in a corporate inbox: Malicious files. Don’t be the one to compromise your company because you couldn’t check your personal email on your phone or decided to use your corporate email address to sign up for something.
Don’t leave your badge exposed when you leave for the day. If it’s in your purse, make sure it’s tucked down. Badges get stolen and cloned. This may seem extreme, but if nothing else, not wearing your badge after work hours stops you from broadcasting your name and employer to everyone on the street. You never know who is paying attention.
Don’t let people piggyback (tailgate) through doors. We all want to hold the door out of courtesy, but we can’t be sure the person coming in behind you is supposed to be there. Even if you’re in a group you know, everyone should badge in. Not only does this verify identity, it also lets management know whether you’re in or out of the building during an emergency. Again, a simple thing that takes half a second, but could save tons of time in the long run. A lot of companies today have some form of security guard. If you see something, say something. You could end up being wrong, but it’s better to be safe than sorry, right?
Physical Security is primarily the responsibility of the InfoSec team and Security Guards, but both teams rely on you to practice due diligence to help keep things secure, and therefore safe. Some concepts, such as “No piggybacking” rely entirely on your cooperation.
Waste & Abuse
While these two aren’t specifically related to security, I feel they’re worth mentioning. Waste and abuse are two things every company faces, intentional or not. Every corporate dollar lost to waste is a dollar that could have been in your department budget or maybe even your bonus. An example of waste would be printing documents that didn’t need to be in hard-copy form. Abuse would be printing eBooks from your corporate network. Just because you can doesn’t mean you should. Keep in mind that most corporate printing systems are monitored. Print too much too often and you may end up hearing from your management or IT department.
Waste and abuse extend beyond the digital domain. Waste could even be something as simple as paper towels being loaded into the automatic dispenser incorrectly. I noticed our machine had somehow doubled up the paper towels it was dispensing. Sure, double paper towels is a small thing. But if your monthly budget for paper towels is $20, you can’t use $40 worth in a month. Again, I know this is a basic example, but it should make waste easy to understand.